Analysis
max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted
22-05-2024 12:36
Static task
static1
Behavioral task
behavioral1
Sample
17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
Resource
win10v2004-20240508-en
General
Target
17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
Size
8.9MB
MD5
11960e3e037341c6a3853c5654ba1b18
SHA1
59e1bbe18ab48d8536abaf4ec44cd46321bc4c4f
SHA256
17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0
SHA512
8fb6872a74e24f79a66081bdf3b7220c571d65dfc70a32237ec71490e6138cd7e096c09d0945686da7c4417a8ae24af81bfc1a5294ea79094db0b838e296699a
SSDEEP
196608:5LDeQYhr1uJ9jSOBIt0IrT+tk5sLU+hTKNMI9:hKmJJSQICIrT+tk56hTKNp9
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: mlauncher.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | mlauncher.exe
Drops file in Drivers directory 1 IoCs
Processes: 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
description | ioc | process
File created | C:\Windows\system32\drivers\AngelmWJ.sys | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes: netsh.exe
pid | process
8512 | netsh.exe
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
\Windows\SysWOW64\XYDsoftWpe.dll | acprotect
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: mlauncher.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | mlauncher.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | mlauncher.exe
Executes dropped EXE 2 IoCs
Processes: Windows Defender Firewall.exe, mlauncher.exe
pid | process
8652 | Windows Defender Firewall.exe
8732 | mlauncher.exe
Loads dropped DLL 5 IoCs
Processes: 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe, cmd.exe
pid | process
2508 | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
2508 | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
2508 | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
2508 | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
8708 | cmd.exe
resource | yara_rule
\Users\Admin\AppData\Local\Temp\mlauncher.exe | themida
resource | yara_rule
\Windows\SysWOW64\XYDsoftWpe.dll | upx
behavioral1/memory/2508-7986-0x0000000010000000-0x000000001020B000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
Processes: Windows Defender Firewall.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\Terms.exe" | Windows Defender Firewall.exe
Processes: mlauncher.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mlauncher.exe
Drops file in System32 directory 6 IoCs
Processes: 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\XYDsoftWpe.dll | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
File created | C:\Windows\SysWOW64\XYDsoftWpe.dll | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
File opened for modification | C:\Windows\SysWOW64\Windows Defender Firewall.exe | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
File created | C:\Windows\SysWOW64\Windows Defender Firewall.exe | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
File opened for modification | C:\Windows\SysWOW64\nfapi.dll | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
File created | C:\Windows\SysWOW64\nfapi.dll | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes: 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe, Windows Defender Firewall.exe, mlauncher.exe
pid | process (64 entries in the report; each distinct pid/process pair listed once)
2508 | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
8652 | Windows Defender Firewall.exe
8732 | mlauncher.exe
Drops file in Windows directory 2 IoCs
Processes: Windows Defender Firewall.exe
description | ioc | process
File created | C:\Windows\Terms.exe | Windows Defender Firewall.exe
File opened for modification | C:\Windows\Terms.exe | Windows Defender Firewall.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes: 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe, Windows Defender Firewall.exe, mlauncher.exe
pid | process (39 entries in the report; each distinct pid/process pair listed once)
2508 | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
8652 | Windows Defender Firewall.exe
8732 | mlauncher.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid | process
468 |
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe, Windows Defender Firewall.exe
pid | process
2508 | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
2508 | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
2508 | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
8652 | Windows Defender Firewall.exe
Suspicious use of WriteProcessMemory 23 IoCs
Processes: 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe, cmd.exe, cmd.exe
description | pid | process | target process | entries
PID 2508 wrote to memory of 8408 | 2508 | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe | cmd.exe | 4
PID 8408 wrote to memory of 8512 | 8408 | cmd.exe | netsh.exe | 4
PID 2508 wrote to memory of 8652 | 2508 | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe | Windows Defender Firewall.exe | 4
PID 2508 wrote to memory of 8708 | 2508 | 17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe | cmd.exe | 4
PID 8708 wrote to memory of 8732 | 8708 | cmd.exe | mlauncher.exe | 7
Processes
C:\Users\Admin\AppData\Local\Temp\17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\17d359336bdd68246d4041036c5ab62f85f1a15cdad53095e3fe0203449752f0.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2508
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c NetSh Advfirewall set allprofiles state off
    - Suspicious use of WriteProcessMemory
    PID: 8408
    C:\Windows\SysWOW64\netsh.exe
      command line: NetSh Advfirewall set allprofiles state off
      - Modifies Windows Firewall
      PID: 8512
  C:\Windows\SysWOW64\Windows Defender Firewall.exe
    command line: "C:\Windows\System32\Windows Defender Firewall.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 8652
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c start "" "mlauncher.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 8708
    C:\Users\Admin\AppData\Local\Temp\mlauncher.exe
      command line: "mlauncher.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      PID: 8732
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
- Virtualization/Sandbox Evasion (1)
Downloads
Filesize
6.2MB
MD5
e03c00628a68172dd5decb6fb02cd3e1
SHA1
f17a971b912c56a3f14de8c01c466d91a2a07b4d
SHA256
0be43e4a5649ea0540b774922c154a8cded6e9bbe0375a5745d19aaa87793741
SHA512
38d1b8b718230be1d806a0f956dae9ce461e15eeeb2b6b98da3e4d567f5fdf94a089ad423895610166f091ca67146f64a16596925276787fea3a5c33e16d97e5

Filesize
1.0MB
MD5
cfceec08193aaa1959ad3b8ad916b434
SHA1
f17372f7fea0e534ebceb5e74e2871e62d4d523c
SHA256
212604ea4159e7fe8f8a101aaa456c0198c0a75296079fc8d2fb14b28e1ff19e
SHA512
6b19a37bcefd06fd9d658b716b7face7eb187ba796a8933afde1c2c31bff4e096ca7390544bd00370c121da9a6741f66dcb799acc10f02c0c169eff66375618e

Filesize
611KB
MD5
1ae8f19cf62d49f6a9919e78349aeb3a
SHA1
702be239f0e6b5009188d76eb9d58d987b1e9079
SHA256
5d8068037dc0bf29bc659ed47b33c20e40e14f60191485dadc1da49a4fbd6286
SHA512
d09223bb37f57df265443d83fd7b347951489fc7cc6591403ec7047587e6a4c175fbfdd4292b82cef15defcbaef6c79a29d54588212d60073c76b6c425c15448

Filesize
320KB
MD5
21964c506f808bb02b23e2bd3353398a
SHA1
e32953aadd504fed57b624b220bdf661a5e7e7bd
SHA256
8ed39eb9730c22055ea7906633a53250c6480a8cae9483224113502cdc3eeeef
SHA512
8e614cea2cbea50aaeb7694eac78f2b8d3a0b339f801f65ab47b8e021a133f2c73b8eaf3589cafbc61b3266b61e3ac2c2e03569ee8c8192685f00d1276ee7b2f